Saved February 14, 2026
Do you care about this?
Attackers exploited a zero-day vulnerability in Triofox, a file-sharing platform, to bypass authentication and deploy malicious payloads. By setting the HTTP Host header to "localhost" they reached configuration pages that were meant to be accessible only from the server itself, then pointed the platform's antivirus feature at their own script so that Triofox executed it for them.
If you do, here's more
Attackers exploited a critical zero-day vulnerability in Gladinet's Triofox file-sharing platform, tracked as CVE-2025-12480, to gain unauthenticated access by manipulating the HTTP Host header. Triofox exposes setup and configuration pages that are supposed to be reachable only from the local machine, and the CanRunCriticalPage() function decided whether a request was local by inspecting the Host header rather than the source address of the connection. Because the Host header is supplied by the client, setting it to "localhost" was enough for a remote attacker to pass the check and reach the restricted configuration pages.
After gaining access, the attackers, tracked as UNC6485, used the setup page to create a new administrator account named "Cluster Admin." With that account they abused the platform's built-in antivirus integration: the admin panel lets an operator set the path of the antivirus scanner executable, and the attackers pointed it at a malicious batch script, which Triofox then ran in place of a real scanner. Because the scanner is launched by the Triofox service, the script ran with SYSTEM privileges. This is not a victim misconfiguration but abuse of a legitimate feature. From there they downloaded and installed remote-access tools (Zoho UEMS, Zoho Assist and AnyDesk) and set up an encrypted SSH tunnel to their command-and-control infrastructure. Mandiant identified the intrusion from unusual file activity and HTTP log entries showing the exploit requests.
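To make the bypass concrete, here is an added example (not Triofox's code, and not from Gladinet or Mandiant) that models the flaw described above: a localhost gate that trusts the client-supplied Host header, next to a hardened gate that uses the peer address of the TCP connection. The request parser, the `setup_page` handler, the `/setup.aspx` path and the form field names are this example's own assumptions, chosen only to show the mechanism.

```python
"""Host-header trust versus connection-based localhost checks.

Added example, not Triofox's code. Request/handler names, the /setup.aspx
path and the form fields are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qsl
import ipaddress


@dataclass
class Request:
    peer_ip: str                                   # set by the server from the TCP connection
    headers: dict = field(default_factory=dict)    # entirely client-controlled
    form: dict = field(default_factory=dict)       # entirely client-controlled


def parse_raw_request(raw: str, peer_ip: str) -> Request:
    """Minimal HTTP/1.1 parser: request line, headers, urlencoded body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:                          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().title()] = value.strip()
    return Request(peer_ip=peer_ip, headers=headers, form=dict(parse_qsl(body)))


def can_run_critical_page_vulnerable(req: Request) -> bool:
    """Modelled on the flaw: 'is this local?' is answered from the Host header,
    which the client chooses, so any remote client can say 'localhost'."""
    host = req.headers.get("Host", "").split(":")[0].lower()
    return host in ("localhost", "127.0.0.1", "::1")


def can_run_critical_page_fixed(req: Request) -> bool:
    """Hardened: decide from the transport-layer peer address, which the
    client cannot pick. Do not fall back to X-Forwarded-For here either;
    it is just another client-writable header unless a trusted proxy strips it."""
    try:
        return ipaddress.ip_address(req.peer_ip).is_loopback
    except ValueError:
        return False


def setup_page(req: Request, gate, admins: set) -> bool:
    """The sensitive page: creates an admin account if the gate passes.
    Returns True when an account was created."""
    if not gate(req):
        return False
    admins.add(req.form.get("username", ""))
    return True


# Constructed attacker request: remote client, Host header forged to localhost.
ATTACKER_REQUEST = (
    "POST /setup.aspx HTTP/1.1\r\n"
    "Host: localhost\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=Cluster+Admin&password=x"
)


def demo():
    """Run the same forged request through both gates; return the admin sets."""
    req = parse_raw_request(ATTACKER_REQUEST, peer_ip="203.0.113.10")
    admins_vulnerable, admins_fixed = set(), set()
    setup_page(req, can_run_critical_page_vulnerable, admins_vulnerable)
    setup_page(req, can_run_critical_page_fixed, admins_fixed)
    return admins_vulnerable, admins_fixed


if __name__ == "__main__":
    vulnerable, fixed = demo()
    print("vulnerable gate created:", vulnerable)   # {'Cluster Admin'}
    print("fixed gate created:", fixed)             # set()
```

The fixed gate has its own caveat: if the application sits behind a reverse proxy, every request arrives from the proxy's address, so a loopback check will either reject everything or, if the proxy runs on the same host, accept everything. In that deployment the local-only pages should be taken off the externally reachable listener entirely rather than gated by any header.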
Organizations running Triofox should upgrade to version 16.7.10368.56560 or later immediately, since that is the release that fixes the flaw. Patching does not undo an existing compromise, so also audit the administrator list for accounts nobody on your team created (the "Cluster Admin" name from this intrusion is one indicator, but any unexpected account counts), confirm that the antivirus scanner path in the admin panel points at the real scanner executable and not at a script, and monitor for unexpected outbound SSH traffic from the Triofox server, which in this campaign carried the attackers' command-and-control tunnel.
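Two of those checks can be scripted. The added example below (not from Gladinet or Mandiant) triages web-server log lines for the Host-header trick, flagging requests whose Host header claims localhost while the client address is not loopback, and sanity-checks a configured scanner path. The log layout is a constructed W3C-style format with the cs-host field enabled, the sample lines are made up, and the allowed scanner directories are an assumption to adapt to your own environment.

```python
"""Triage of web logs for forged-localhost requests, plus a scanner-path check.

Added example, not vendor code. Log format, sample lines and the allowed
scanner directories are constructed assumptions.
"""
from pathlib import PureWindowsPath
import ipaddress

# Constructed sample, fields: date time c-ip cs-method cs-uri-stem cs-host sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-host sc-status
2025-08-24 10:01:12 203.0.113.10 GET /index.aspx files.example.com 200
2025-08-24 10:02:05 203.0.113.10 GET /setup.aspx localhost 200
2025-08-24 10:02:41 203.0.113.10 POST /setup.aspx localhost 302
2025-08-24 10:03:00 127.0.0.1 GET /setup.aspx localhost 200
2025-08-24 10:05:17 198.51.100.7 GET /login.aspx files.example.com 200
"""

LOCAL_HOSTNAMES = {"localhost", "127.0.0.1", "::1"}


def parse_line(line: str):
    """Split one log line into a dict; return None for comments and short lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    date, time, c_ip, method, uri, host, status = parts[:7]
    return {"date": date, "time": time, "c_ip": c_ip, "method": method,
            "uri": uri, "host": host, "status": status}


def is_loopback(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def find_spoofed_localhost(log_text: str) -> list:
    """Return records whose Host header claims localhost but whose client
    address is not loopback. A genuine local request never looks like this."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        host = rec["host"].split(":")[0].lower()
        if host in LOCAL_HOSTNAMES and not is_loopback(rec["c_ip"]):
            hits.append(rec)
    return hits


SCRIPT_SUFFIXES = {".bat", ".cmd", ".ps1", ".vbs", ".js", ".wsf"}
# Assumed location of legitimate scanner binaries; adjust for your deployment.
ALLOWED_SCANNER_DIRS = (r"C:\Program Files", r"C:\Program Files (x86)")


def scanner_path_is_suspicious(path: str, allowed_dirs=ALLOWED_SCANNER_DIRS) -> bool:
    """Flag a configured scanner path that is a script or lives outside the
    expected program directories (e.g. a .bat file dropped under C:\\Windows\\Temp)."""
    p = PureWindowsPath(path)
    if p.suffix.lower() in SCRIPT_SUFFIXES:
        return True
    # PureWindowsPath comparison is case-insensitive, so the parent check is too.
    return not any(PureWindowsPath(d) in p.parents for d in allowed_dirs)


if __name__ == "__main__":
    for rec in find_spoofed_localhost(SAMPLE_LOG):
        print("forged localhost:", rec["c_ip"], rec["method"], rec["uri"])
    for candidate in (r"C:\Windows\Temp\scan.bat",
                      r"C:\Program Files\Windows Defender\MpCmdRun.exe"):
        print(candidate, "->", "SUSPICIOUS" if scanner_path_is_suspicious(candidate) else "ok")
```

Note that IIS does not log the Host header unless cs-host is enabled in the site's logging fields; if it is not, the application's own request logs are the place to look, and the same rule applies: a Host value of localhost from a non-loopback client is the signature of this bypass.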